This message was received from a spoofed email address of an official at the Foreign Ministry of Japan. The message came from China; it is crafted to install a remote administration tool known as Darkmoon (similar to ProRAT). I will post more details as soon as I can.

Dear Friend of Tibet. Sincerely thank you for the support of the Free Tibet Campaign. I extend you Christmas blessings on behalf of the Dalai Lama. Attachment is a letter sent to you from H.H. the Dalai Lama. Tashi Delek!

Merry Christmas cards come in bulk. I normally don't bother with greeting-card viruses, but these are 0-day PDFs, and I am peeved at Adobe for deciding to wait with the fixes in order not to disrupt the update cycle. The cards show a total lack of imagination and aesthetics but impressive antivirus evasion abilities, especially the second card, Merry Christmas.pdf (MD5 0ac635c06b571ad340b115f3d744f951): only three AV providers have a clue. Please see both samples below; you can download them from the link above.

Tuesday, December 22, 2009

Software informer.
This information was sent by a reader. I am posting it here with minimal edits. If you would like to download it, test it, and resolve the controversy, the link is below. Thank you for your help.

From: John Isaacs [mailto:jdsaacs@clw.org]
Sent: Tuesday, December 22, 2009 3:37 AM
To: "Undisclosed-Recipient:;"
Subject: 2010 Congressional, Political and Holiday Schedule from Council for a Livable World

Update Dec 22 7:40 am: Several new variants of CVE-2009-4324 arrived since yesterday in different targeted messages. I do not have time to post them now but hope to do it eventually. I think the trickle of messages containing this type of exploit has now turned into a shower and is likely to become a downpour. I hope the AV vendors and Adobe are working hard on their detection and fixes, because the current VT results are a bit worrisome.

--------------------------------------

Somehow I doubt that the Ministry of Foreign Affairs of Japan (http://www.mofa.go.jp/) joined the zero-day games; however, the headers seem to point to their network or someone using it. --- Never mind, they don't: the "mofa.go.jp" in the "mofa.go.jp 117.11.119.251" header is only the name the sending host announced, and 117.11.119.251 is not really mofa.go.jp. (Updated Dec. 22 7:30 am)
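The check that settles the question above, as an added example that is not the post author's code: take the hop of the Received chain that was not written by one of our own relays and test whether the HELO name it announced is backed by DNS, i.e. the name resolves to the connecting IP, or the IP's forward-confirmed PTR is that name or a host under it. The Received lines, the trusted-relay set and the DNS answers are constructed for the example and passed in as tables so it runs offline; 192.0.2.10, 198.51.100.5 and 203.0.113.10 are RFC 5737 documentation addresses, not real records for mofa.go.jp or anyone else.

```python
import re
from typing import Iterable, Mapping, Optional

# "from <HELO name> (<name the MTA saw> [<ip>])" as Postfix, Sendmail and Exim
# write it. The HELO name is whatever the client claimed; only the bracketed IP
# comes from the TCP connection and is hard to fake.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>[^\s(]+)\s*\(\s*(?P<seen>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\s*\)"
)


def parse_received(header: str) -> Optional[dict]:
    """Return helo / seen-name / ip for one Received header, or None if it has no IP."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    seen = (m.group("seen") or "").lower()
    return {
        "helo": m.group("helo").lower(),
        "seen": None if seen in ("", "unknown") else seen,
        "ip": m.group("ip"),
    }


def helo_is_credible(helo: str, ip: str,
                     forward: Mapping[str, Iterable[str]],
                     reverse: Mapping[str, Optional[str]]) -> bool:
    """HELO is credible if it resolves to the connecting IP, or if the IP's PTR
    is forward-confirmed and equals the HELO name or sits beneath it."""
    if ip in set(forward.get(helo, ())):
        return True
    ptr = reverse.get(ip)
    if ptr and ip in set(forward.get(ptr, ())):  # FCrDNS holds for the PTR
        return ptr == helo or ptr.endswith("." + helo)
    return False


def first_external_hop(received_headers, trusted_ips):
    """Walk Received headers newest-first; the first hop whose client IP is not
    one of our relays is the connection the sender actually controlled."""
    for hdr in received_headers:
        hop = parse_received(hdr)
        if hop and hop["ip"] not in trusted_ips:
            return hop
    return None


def audit(received_headers, trusted_ips, forward, reverse) -> dict:
    hop = first_external_hop(received_headers, trusted_ips)
    if hop is None:
        return {"verdict": "no external hop found"}
    credible = helo_is_credible(hop["helo"], hop["ip"], forward, reverse)
    verdict = ("HELO consistent with connecting IP" if credible
               else f"HELO '{hop['helo']}' is not backed by {hop['ip']}")
    return {**hop, "ptr": reverse.get(hop["ip"]), "helo_credible": credible, "verdict": verdict}


# Constructed headers (newest first), modelled on the "mofa.go.jp 117.11.119.251"
# hop in the post. The DNS tables below are placeholders, not real lookups.
SPOOFED_CHAIN = [
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10]) by mail.example.net with ESMTP",
    "Received: from mofa.go.jp (unknown [117.11.119.251]) by mx1.example.net with SMTP",
]
LEGIT_CHAIN = [
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10]) by mail.example.net with ESMTP",
    "Received: from smtp.partner.example (smtp.partner.example [198.51.100.5]) by mx1.example.net with ESMTP",
]
TRUSTED = {"192.0.2.10"}
FORWARD = {"mofa.go.jp": {"203.0.113.10"},          # placeholder A record
           "smtp.partner.example": {"198.51.100.5"},
           "mx1.example.net": {"192.0.2.10"}}
REVERSE = {"117.11.119.251": None,                  # no PTR in this constructed case
           "198.51.100.5": "smtp.partner.example",
           "192.0.2.10": "mx1.example.net"}

if __name__ == "__main__":
    for chain in (SPOOFED_CHAIN, LEGIT_CHAIN):
        print(audit(chain, TRUSTED, FORWARD, REVERSE)["verdict"])
```

The walk newest-first matters: anything below the first external hop was written by the sender's own infrastructure and can say whatever it likes, so only the hop recorded by our own MX is worth testing.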

Update. Dec 22 15:30

The spoofed message is crafted to look like a message from an existing high-ranking official in the Ministry of Foreign Affairs of Japan. The contents of the message and the PDF are in Japanese and are pieces of documents discussing emissions controls. The documents contained names of various officials and the full, correct contact information of the alleged sender from MOFA. Since I do not speak Japanese, I had to seek advice from people who can read Japanese and make such decisions. I have been told that while the documents are obviously fakes, it would take too much time and effort to make sure they contain no sensitive information, and therefore the message contents should not be released. I cannot publish them after receiving the recommendations above; there will be no samples on this one. (M)

Here is a terrible machine translation, but it is easy to understand that the mailing is fueled by recent news, namely the talks between the ARATS (Association for Relations Across the Taiwan Straits) and the SEF (Straits Exchange Foundation) in Taichung tomorrow, December 22, 2009.

The message sender was Yenfei.Su@gmail.com
The message originating IP was 168.95.4.116
The message recipients were XXX@XXX.XXX
The message was titled 座談會邀請資料 (Seminar invitation materials)
The message date was Tue, 22 Dec 2009 11:08:24 +0800
The message identifier was
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Zordle.gen' found in
>>> '5963899_4X_PM5_EMS_MA-OCTET=2DSTREAM__=A5=C9=A4s=B1M=C3D3=AD=D7.pdf'.
Heuristics score: 201

Adobe is taking its sweet time to fix the problem while new variants show up. You don't need ESP to predict that Christmas cards will be followed by New Year's invites and IRS forms before most people receive and install the updates. I was surprised that Symantec, being the CVE-2009-4324 pack leader in the past few days, did not detect it. Tip of the hat to Messagelabs for catching it again.

From: Uyghur Hunova uyghurhunova@yahoo.com

Subject: merry christmas

Sent: Fri 12/18/2009 2:09 PM

My dear friend

Merry Christmas

The message sender was uyghurhunova@yahoo.com
The message originating IP was 98.137.27.222
The message recipients were XXX@XXX.XXX
The message was titled merry christmas
The message date was Fri, 18 Dec 2009 11:11:27 -0800 (PST)
The message identifier was <474701.46814.qm@web112506.mail.gq1.yahoo.com>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '8044614_1000X_PA3_APDF__pdf_obj_31_0.js'. Heuristics score: 401

This message is targeted but not perfect: not all recipients of that message can read Chinese. I posted the machine translation at the end of the post; it is about an alleged recent strip-photo scandal in Taiwan's armed forces (the text names the 國軍 and the Combined Logistics Command, and the sender address is at mna.gpwb.gov.tw, Taiwan's Military News Agency).

This message shows that detection of the new threat remains tricky. Messagelabs apparently used Symantec scanners to stop and tag the threat, yet Symantec did not detect it when it was scanned on VirusTotal. Not to mention a distressingly low overall detection rate: 7 out of 41. Note that the gateway verdict above comes with a heuristics score, i.e. it is a different detection path from the signature engines VirusTotal runs over the file, so the two results are not directly comparable.
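The gateway notices on this page name the piece they flagged as an extracted object (pdf_obj_31_0.js, pdf_obj_110_0.js), i.e. the JavaScript is pulled out of the PDF's object tree and normalised before scanning, which is what the raw-file scans miss. As an added example, not the post's code nor any vendor's engine, the Python below does that normalisation on a constructed PDF: inflates FlateDecode streams, folds #xx name escapes and <hex> strings, joins split string literals, follows the /JS reference from the action dictionary to the stream that holds the script, and then checks the recovered script for indicators, including the Doc.media.newPlayer method that CVE-2009-4324 concerns. The sample PDF, its object layout and the indicator list are this example's own assumptions; it is a triage aid, and a naive grep of the same bytes finds nothing.

```python
import re
import zlib

# Indicators looked for in recovered JavaScript. media.newPlayer is the method
# named in CVE-2009-4324; the rest are generic signs of JavaScript-driven PDF
# exploitation. The list is this example's own choice, not a vendor signature set.
JS_INDICATORS = [
    (b"media.newPlayer", "CVE-2009-4324 trigger API (media.newPlayer)"),
    (b"unescape(", "unescape() decoding of a payload"),
    (b"%u", "%u-encoded bytes (heap spray / shellcode style)"),
    (b"eval(", "eval() of constructed code"),
]
# Indicators checked against the whole normalised document.
DOC_INDICATORS = [
    (b"/OpenAction", "document runs an action on open"),
    (b"/JavaScript", "JavaScript action present"),
    (b"/Launch", "launch action present"),
]

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)


def inflate_streams(pdf: bytes) -> bytes:
    """Replace every stream body that inflates with its decompressed content.
    decompressobj tolerates trailing bytes, so a stray CR before endstream is harmless."""
    def repl(m):
        body = m.group(1)
        try:
            d = zlib.decompressobj()
            body = d.decompress(body) + d.flush()
        except zlib.error:
            pass  # not Flate-compressed (or corrupt): keep the raw body
        return b"stream\n" + body + b"\nendstream"
    return STREAM_RE.sub(repl, pdf)


def unescape_names(data: bytes) -> bytes:
    """Fold #xx escapes in PDF names: /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def decode_hex_strings(data: bytes) -> bytes:
    """Turn <hex> strings into (literal) strings so their content is greppable."""
    def repl(m):
        h = re.sub(rb"\s", b"", m.group(1))
        if len(h) % 2:
            h += b"0"  # PDF pads an odd trailing digit with 0
        return b"(" + bytes.fromhex(h.decode()) + b")"
    return re.sub(rb"<([0-9A-Fa-f\s]+)>", repl, data)


def fold_split_strings(data: bytes) -> bytes:
    """Join "ab" + "cd" so a token split across literals is visible again."""
    return re.sub(rb"""["']\s*\+\s*["']""", b"", data)


def normalise(pdf: bytes) -> bytes:
    return fold_split_strings(decode_hex_strings(unescape_names(inflate_streams(pdf))))


def extract_js(normalised: bytes) -> dict:
    """Map (num, gen) of each JavaScript action object to its script bytes,
    following an indirect /JS reference to the stream object that holds it."""
    objs = {(int(m.group(1)), int(m.group(2))): m.group(3) for m in OBJ_RE.finditer(normalised)}
    scripts = {}
    for key, body in objs.items():
        if b"/JS" not in body:
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+(\d+)\s+R\b", body)
        if ref:
            target = objs.get((int(ref.group(1)), int(ref.group(2))), b"")
            sm = STREAM_RE.search(target)
            if sm:
                scripts[key] = sm.group(1)
            continue
        lit = re.search(rb"/JS\s*\((.*?)\)\s*(?:/|>>)", body, re.S)
        if lit:
            scripts[key] = lit.group(1)
    return scripts


def scan(pdf: bytes) -> dict:
    norm = normalise(pdf)
    report = {"javascript": {}, "document": [d for n, d in DOC_INDICATORS if n in norm]}
    for (num, gen), js in extract_js(norm).items():
        report["javascript"][f"{num} {gen}"] = [d for n, d in JS_INDICATORS if n in js]
    return report


def build_sample() -> bytes:
    """Constructed test PDF (this example's own, not a captured sample): the script
    is inert, the API name is split across literals, the action name is #-escaped
    and the stream is Flate-compressed, so grepping the raw file finds nothing."""
    js = (b'var t = "media." + "newPl" + "ayer";'
          b'var sled = unescape("%u9090%u9090");'  # two NOP bytes, no payload
          b'app.alert(t + " " + sled.length);')
    stream = zlib.compress(js)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /J#61vaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream) + stream + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(scan(build_sample()))
```

The order of the normalisation steps is deliberate: streams are inflated first so the name and string decoders also see script text that was compressed, and literals are joined last so a token assembled from pieces inside a decoded stream still lines up with the indicator list. A real engine adds a JavaScript emulator on top of this; static folding alone is what the sample here is designed to show.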

The message sender was gpwbinfo@mna.gpwb.gov.tw
The message originating IP was 203.252.1.122
The message recipients were

A set of photos titled 「寶貝悶」 ("Baobei Men") of a female ROC Armed Forces soldier undressing has been circulating online; because such brazen behaviour had never been seen before, it caused an immediate sensation. Outsiders first assumed the photos were fake, but an investigation found that the woman lifting her clothes in them is Sergeant Chen Hsueh-wei (陳學葳), currently an administrative NCO in the 1st Squadron of the Central Transportation Group of the Combined Logistics Command. After the photos surfaced, Chen admitted to the military that they were "crazy photos" taken with classmates to celebrate the end of their training at the Logistics School in February of last year. ... (See the full text at the end of the post.)
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4700 (20091218) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com

This message shows that the Adobe zero-day exploit has been in the wild and actively exploited by attackers since at least November 30, 2009, not December 11 or 14, 2009. Note that the file name, note200911.pdf, is slightly different from the Dec. 11, 2009 note_20091210.pdf, but it has the same MD5, 61baabd6fc12e01ff73ceacc07c84f9a: the attachment is byte-for-byte the same file, only renamed.

This is Fureer Angelica, diplomatic broadcaster for CNN in DC. There's growing concern about the U.S.-North Korea bilateral talks. So, we're planning an interview about them. Attached is the outline of the interview.

p.s. Detailed schedules will be followed soon if you accept the offer.

Messagelabs detects it easily
The message sender was fureer.angelica@gmail.com
The message originating IP was 209.85.222.117
The message recipients were XXX@XXX.XXX
The message was titled Interview Request
The message date was Sun, 13 Dec 2009 14:13:46 +0900
The message identifier was <9c3b16360912122113s2a953d1dqfdb5a6ddb8f35c5a@mail.gmail.com>
The virus or unauthorised code identified in the email is:
Possible MalWare 'JS/PDFEncoded' found in
'5963838_1001X_PA3_APDF__pdf_obj_110_0.js'. Heuristics score: 651

F-Secure folks (thanks, mikkohypponen) released their analysis of the Adobe 0-day; as mentioned in the post by Extraexploit, it attempts to download ab.exe from hxxxp://foruminspace.com/documents/dprk/ab.exe.

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.